We've joined Protect AIJoin us over there for bounties up to $50,000+ for vulnerabilities in AI/ML repos

Cross-site Scripting (XSS) - Stored in zhongshaofa/easyadmin

Valid

Reported on

Sep 16th 2021

Description

Stored XSS in FileName allows for arbitrary execution of JavaScript

Proof of Concept

At Upload Management 
Upload File Image with filename : Sun'><img src=x onerror=alert(1)>set.jpg

Image Upload File

https://user-images.githubusercontent.com/31820707/133646077-b6a14692-fea3-4a37-95e7-eb4c4e6f9073.png

Image XSS Trigger

https://user-images.githubusercontent.com/31820707/133646262-b3cd6b88-90ab-4ba9-be98-c6391cf53d75.png

Impact

If a normal user account can upload this file, then when admin accesses this Upload Management page XSS will be triggered from which attacker can steal admin's cookie.

We have contacted a member of the zhongshaofa/easyadmin team and are waiting to hear back 2 years ago
Mr.Chung
2 years ago

Maintainer

目前上传文件之后,都会重命名为MD5格式进行保存的,这个问题应该是不存在,如果可以复现的话,麻烦提供一下复现步骤

Mr.Chung
2 years ago

Maintainer

At present, after uploading files, they will be renamed to MD5 format for saving. This problem should not exist. If they can be reproduced, please provide the reproduction steps

lethanhphuc
2 years ago

Researcher

You can check video and file image PoC hear : PoC

Mr.Chung validated this vulnerability 2 years ago
lethanhphuc has been awarded the disclosure bounty
The fix bounty is now up for grabs
Mr.Chung marked this as fixed with commit 0f8927 2 years ago
Mr.Chung has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation